General

  • Target

    c83d89624f4b413b33a8535e942fb543_JaffaCakes118

  • Size

    12.8MB

  • Sample

    241205-r95znsvqck

  • MD5

    c83d89624f4b413b33a8535e942fb543

  • SHA1

    2644db3a8706369e8cadbde5480f9252d25ddbbe

  • SHA256

    eb4f398465dd5dac1636447a265f692a73e3be0bc91f94df72ddd123cae98d84

  • SHA512

    8f1c620a475f490ce2257cab8d2f411c6d28546f310ba9a20fe1351d2a8085eea79cf9839809332070731695a7bd6de206ef2b456b3cc8268b243647fe66c7b3

  • SSDEEP

    49152:V2mNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNd:Q

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15